参考文档:http://blog.51cto.com/ls40905250/1915280
https://blog.csdn.net/zsjwish/article/details/79792212
https://blog.csdn.net/yanggd1987/article/details/50469113
安装logstash的geoip插件,使logstash可以获取到国家及城市信息
yum install GeoIP-data -y
修改原logstash配置文件
input{
redis {
host => "192.168.56.11"
port => "6379"
password => "123456"
db => "3"
data_type => "list"
key => "system-log-5611"
}
redis {
host => "192.168.56.11"
port => "6379"
password => "123456"
db => "4"
data_type => "list"
key => "nginx-log"
}
}
filter{
if "nginx-log" in [tags] {
json{
source => "message"
}
if [user_ua] != "-" {
useragent {
target => "agent" #agent将过来出的user agent的信息配置到了单独的字段中
source => "user_ua" #这个表示对message里面的哪个字段进行分析
}
}
if [user_ip] != "-" {
geoip {
source => "user_ip"
target => "geoip"
# database => "/usr/share/GeoIP/GeoIPCity.dat"
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
}
mutate {
convert => [ "[geoip][coordinates]", "float"]
}
}
}
}
output{
if "nginx-log" in [tags]{
elasticsearch{
hosts => ["192.168.56.11:9200"]
index => "logstash-nginx-log-%{+YYYY.MM}"
}
stdout{
codec => rubydebug
}
}
if "system-log-5611" in [tags]{
elasticsearch{
hosts => ["192.168.56.11:9200"]
index => "system-log-5611-%{+YYYY.MM}"
}
}
}
PS:filter检测过滤如果是nginx日志并且user_ip不为空则调用geoip插件
nginx的index设置需要在前面加logstash否则在kibana里面不识别
通过ip获取到的信息如下
系统自带的地图为英文地图,设置成中文地图,修改配置文件/etc/kibana/kibana.yml在尾部添加以下配置
tilemap.url: 'http://webrd02.is.autonavi.com/appmaptile?lang=zh_cn&size=1&scale=1&style=7&x={x}&y={y}&z={z}'
tilemap.options.minZoom: "1"
tilemap.options.maxZoom: "10"
重启kibana然后进web界面进行设置
最终效果图
